<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head></head>
<body><h2 class="Welcome">Using RPCSEC_GSS with NFS-GANESHA</h2>NFS-GANESHA
supports RPCSEC_GSS with krb5 authentication. It use the libgssrpc
library provided with the krb5 distribution. For having a clean
distribution of this libraray you must install krb5-1.6 at least.<br><br>Enabling RPCSEC_GSS support is done at "./configure" time. You should use something like<br><div style="margin-left: 40px;"># ./configure --with-fsal=&lt;desired FSAL&gt; &nbsp;--enable-gssrpc</div><br>Configuration follows several steps:<br><br><ul><li>Your
client is to be configured as if it would mount a linux nfsd server.
You have to set up the kernel modules, the keytabs, the rpc.gssd and
rpc.ipmapd must be running</li></ul><ul><li>In the configuration file for NFS-GANESHA you must have the following block</li></ul><div style="margin-left: 80px;">&nbsp;&nbsp;&nbsp; &nbsp;NFS_KRB5<br>{<br>&nbsp;&nbsp; PrincipalName = nfs@&lt;yourhost&gt; ;<br>&nbsp;&nbsp; KeytabPath = /etc/krb5.keytab ;<br>&nbsp;&nbsp; Active_krb5 = YES ;<br>}<br>&nbsp;&nbsp; <br></div>&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; The principal name should contain the nfs server
hostname, the keytab must contain slots related to nfs/&lt;nfs server
hostname&gt;<br><ul><li>No rpc.gssd or rpc.svcgssd or rpc.ipmad is required on the host running NFS-GANESHA, it does what these daemons do internally</li><li>Perform your mount command</li><ul><li style="font-family: monospace;"><big>mount -t nfs4 -o sec=krb5 &lt;nfs-ganesha server&gt;:&lt;path&gt; /mnt</big></li><li>or <big><span style="font-family: monospace;">mount -t nfs4 -o sec=krb5i &lt;nfs-ganesha server&gt;:&lt;path&gt; /mnt</span></big></li><li>or <big><span style="font-family: monospace;">mount -t nfs4 -o sec=krb5p &lt;nfs-ganesha server&gt;:&lt;path&gt; /mnt</span></big></li></ul></ul>Remember:
when a user traverse a kerberized mount point, it must have a valid
kerberos ticket (basically, he used kinit to generate it), otherwise he
will receive a EPERM error.</body></html>